washingtonpost.com
By Joseph Menn
More than a half-dozen federal departments and agencies backed a proposal to ban future sales of the most popular home routers in the United States on the grounds that the vendor’s ties to mainland China make them a national security risk, according to people briefed on the matter and a communication reviewed by The Washington Post.
The proposal, which arose from a months-long risk assessment, calls for blocking sales of networking devices from TP-Link Systems of Irvine, California, which was spun off from a China-based company, TP-Link Technologies, but owns some of that company’s former assets in China. The ban was proposed by the Commerce Department and supported this summer by an interagency process that includes the Departments of Homeland Security, Justice and Defense, the people said.
“TP-Link vigorously disputes any allegation that its products present national security risks to the United States,” Ricca Silverio, a spokeswoman for TP-Link Systems, said in a statement. “TP-Link is a U.S. company committed to supplying high-quality and secure products to the U.S. market and beyond.”
If imposed, the ban would be among the largest in consumer history and a possible sign that the East-West divide over tech independence is still deepening amid reports of accelerated Chinese government-supported hacking. Only the legislated ban of Chinese-owned TikTok, which President Donald Trump has averted with executive orders and a pending sale, would impact more U.S. consumers.
None of the agencies involved responded to requests to comment on the proposal, which is now back in the hands of Commerce. While Commerce initially proposed the ban and sought the interagency review, it has taken no action since that process was completed. It could still decide to not issue a ban against TP-Link routers or could reach an agreement with the company for a different resolution of its concerns. The White House, which the people said supported the proposed ban, could also change its mind.
A former senior Defense Department official and two other people familiar with the details described the ban proposal to The Post; they spoke on the condition of anonymity to reveal internal deliberations. One of those people and four other current officials confirmed that the proposal had secured interagency approval.
A White House spokesperson asked about the proposed ban declined to address it specifically. “We are aware of active efforts by the Chinese government to exploit critical security vulnerabilities and are working with all relevant parties to assess exposure and mitigate the damage,” the spokesperson said.
Trump met Chinese leader Xi Jinping on Thursday in South Korea, where they reached an agreement that lowered the temperature of the conflict over trade between the two countries. The negotiations leading to that deal have made any move toward banning TP-Link routers less likely in the near term, two of the people said. One of them said the administration viewed TP-Link as a bargaining chip in further U.S.-China trade talks.
A spokesman for TP-Link Systems, Jeff Seedman, called it “nonsensical to suggest” that any measure taken against the company could serve as a “bargaining chip” in U.S.-China talks. “Any adverse action against TP-Link would have no impact on China, but would harm an American company,” he said.
Commerce officials concluded TP-Link Systems products pose a risk because the U.S.-based company’s products handle sensitive American data and because the officials believe it remains subject to jurisdiction or influence by the Chinese government. TP-Link Systems denies that, saying that it fully split from the Chinese TP-Link Technologies over the past three years. The Commerce proposal mentions the prospect that the company could offer a deal after notification that would satisfy the government and forestall a ban, one of the people said, but the government would have to be certain that key hardware and software was being developed without influence from China.
TP-Link Systems has sole ownership of some engineering, design and manufacturing capabilities in China that were once part of China-based TP-Link Technologies and operates them without Chinese government supervision, according to company spokeswoman Silverio. TP-Link Technologies serves only the Chinese market, she said. U.S.-based TP-Link Systems has about 500 employees in the U.S. and about 11,000 in China, Silverio said, adding that some of them work in facilities physically adjacent to those still owned by TP-Link Technologies.
TP-Link Systems’s website says it has 36 percent of the U.S. market for home routers by direct unit sales, while other estimates and congressional testimony put the share above 50 percent. A substantial portion of TP-Link routers and those of its competitors are purchased or leased through internet service providers, industry analysts said.
Federal regulations partly based on executive orders issued by Trump in his first term and by President Joe Biden empower the commerce secretary to make a risk assessment of transactions in “information and communications technology or services” that involve material from entities “controlled by, or subject to the jurisdiction or direction of foreign adversaries” and may therefore pose an “undue or unacceptable” security risk.
Last year, Commerce Secretary Gina Raimondo blocked U.S. sales of antivirus software from Russia’s Kaspersky Lab, noting the extensive access such security programs have to computers. “Russia has shown it has the capacity — and even more than that, the intent — to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans, and that’s why we are compelled to take the action we are taking today,” Raimondo said at the time. Kaspersky denied that its U.S. activities posed a security risk.
Under the law, if the commerce secretary determines there is a security risk from foreign-influenced technology, the department can suggest ways to mitigate those risks. In the case of TP-Link Systems, Commerce officials decided that no mitigation short of a prohibition would suffice, according to the people briefed on the interagency review.
Seedman said any concerns “are fully resolvable by a common-sense mix of measures like onshoring key development functions, making strong and coordinated investments in cybersecurity, and being transparent with the government.” TP-Link Systems, he added, “has repeatedly sought Commerce’s input as to where the government believes there could be residual concerns. Commerce has so far not responded to TP-Link’s outreach in that regard.”
The proposed ban’s approval by the other federal departments returned it to Commerce, leaving the department free to issue a formal notification to TP-Link Systems that would give the company 30 days to respond. Commerce would then have 30 days to consider any objections before any ban would take effect.
The Post could not determine why Commerce has not taken further action. Some of those briefed said officials might by leery of stepping on any toes in the White House, especially amid trade talks with China that involve other technology issues. More recently, the government shutdown has become the top priority at Commerce and is occupying the time of the officials who remain on the job, the people said.
None of those interviewed for this article said they knew of any substantive objections inside government to the ban, which has been sought by members of both parties in Congress.
Paul Triolo, a partner at DGA Group in Washington who monitors U.S.-China technology issues, said recently it was not clear whether the interagency decision required an additional White House sign-off. “It may be too small of a thing to create a reaction from China,” he said.
Sen. Tom Cotton (R-Arkansas), who chairs the Senate Intelligence Committee, pushed for an investigation of TP-Link and is frustrated that no action has been taken, a spokesman said. “The continued sale of networking equipment linked to communist China in the United States puts our security at risk and American competitors at a disadvantage,” Cotton told The Post.
Many brands of home and small office routers, including those from TP-Link, have been used as stepping stones in recent years by Chinese government-supported hacking groups, which break into them to disguise where they are coming from, government and private-sector cybersecurity officials determined.
Some security experts have complained that the company has been slow to fix flaws after they are exposed. Last month, TP-Link Systems said it was still working to patch U.S. routers exposed to a high-severity weakness that had been reported in May. The company said its response time was within industry norms and that some measures show it has fewer reported flaws than rivals.
TP-Link Systems gear did not play a notable role in the major hack of U.S. telecommunication carriers exposed more than a year ago, which Sen. Mark R. Warner (D-Virginia) called the “worst telecom hack in our nation’s history.” But Microsoft said last year that hacked TP-Link Systems routers made up most of a covert network used by Chinese attackers since at least 2021 to steal log-in credentials from the software giant’s sensitive customers.
Microsoft said that network was used by multiple Chinese groups on spying missions. TP-Link Systems issued a patch for the vulnerable devices in November, four months after they were reported being hacked, even though they had been designated as end-of-life and too old for such updates. TP-Link said its action showed its willingness to go beyond what was legally required to help with security issues.
Some other U.S. router makers also depend on manufacturers in China. But U.S. officials said they are more concerned about TP-Link because under Chinese law companies there must comply with intelligence agency requests and notify Beijing of security flaws. They said the Chinese arm could even be compelled to push out software updates that could change the way the devices function.
California-based TP-Link Systems said it is “not subject to the direction of the PRC [Chinese government] intel apparatus.” It told The Post that only U.S. engineers can push updates to U.S. customers.
TP-Link Systems is owned by one of the two brothers who started TP-Link Technologies in China and his wife. The company said the brother in Irvine, chief executive Jeffrey (Jianjun) Chao, is pursuing U.S. citizenship and plans to expand the company’s American workforce.
A federal judge hearing an unrelated patent dispute in Texas against TP-Link Technologies concluded two years ago that frequent changes in that company’s corporate structure seemed designed to avoid accountability, telling an attorney for the Chinese company that “the evidence that we have indicates that your clients are deliberately trying to hide their relationship with TP-Link USA,” as the American operation was called at the time.
“The Texas case did not even involve TP-Link’s California company,” Silverio told The Post. “The defendants in that case were TP-Link foreign entities that were not affiliated with the California company at the time. The defendants later became affiliated with TP-Link’s California entity after a series of corporate reorganizations.”
It is unclear exactly which networking products would be covered under what is technically defined as a “prohibition” by Commerce on certain transactions, though they would include home and small office routers.
In related work on TP-Link Systems, the Justice Department’s antitrust unit is weighing criminal charges, based on claims that TP-Link products have been subsidized by the Chinese government and artificially priced under U.S. rivals, according to the people briefed on the interagency discussions. The company says it does not price products lower than they cost to make, and its spokeswoman said it has not heard from the Justice Department regarding an antitrust probe but would cooperate with any investigation.
The interagency probe began under the Biden administration and gained steam after the inauguration amid Trump’s tough talk on China, officials said. The possibility of a ban was first reported by the Wall Street Journal late last year, and the criminal antitrust probe was reported in April by Bloomberg News. Bloomberg reported this month that the administration was considering other actions.
In a sanctions package including more than 150 new measures, the British government said it was closing loopholes being exploited by the Kremlin.
Germany's top security official says the country will bar the use of critical components made by Chinese companies Huawei and ZTE in core parts of its 5G networks in two steps starting in 2026.
U.S. officials imposed the “first of its kind” ban arguing that Kaspersky threatens U.S. national security because of its links to Russia.
In a recent regulatory development, the European Union (EU) has voted to ban cryptocurrency payments to "hosted wallets" using unidentified self-custody crypto wallets.
As the damage caused by ransomware and profits flowing to attackers reaches record levels, a panel of cybersecurity and policy experts reviewed what it might take
A report yesterday revealed that China has banned government officials from using iPhones and other foreign technology within government agencies. Now, a report from Bloomberg says that this is only the start of China’s crackdown on iPhone, with a much broader set of restrictions also in the works.
The directive is the latest step in Beijing’s campaign to cut reliance on foreign technology and could hurt Apple’s business in the country.
Cyberspace Administration says chip maker failed review, in a move that seems aimed at hitting back at U.S. chip ban
The government of France has banned TikTok – and all other recreational apps – from phones issued to its employees.
The nation's ministère de la transformation et de la fonction publiques last Friday issued a statement PDF announcing the policy, which minister of transformation and public service Stanislas Guerini justified on grounds that no recreational apps have sufficiently robust security for them to be deployed on government-owned devices.
TikTok’s software development kits could undermine Joe Biden's order to stop internet traffic flowing from federal employees' phones to TikTok within 30 days.
COPENHAGEN, Denmark (AP) — The Danish parliament on Tuesday urged lawmakers and employees with the 179-member assembly against having TikTok on work phones as a cybersecurity measure, saying “there is a risk of espionage.”
The five-member FCC said it has voted unanimously to adopt new rules that will block the importation or sale of certain technology products that pose security risks to U.S. critical infrastructure.
The Government of Canada announced its intention to ban the use of Huawei and ZTE telecommunications equipment and services across the country's 5G and 4G networks.
